CVE-2019-15010
CVSS V2 Medium 6.5
CVSS V3 High 8.8
Description
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.
Overview
- CVE ID
- CVE-2019-15010
- Assigner
- security@atlassian.com
- Vulnerability Status
- Analyzed
- Published Version
- 2020-01-15T21:15:12
- Last Modified Date
- 2020-08-24T17:37:01
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 3.0.0 | 5.6.11 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.0.0 | 6.0.11 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.1.0 | 6.1.9 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.2.0 | 6.2.7 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.3.0 | 6.3.6 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.4.0 | 6.4.4 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.5.0 | 6.5.3 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.6.0 | 6.6.3 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.7.0 | 6.7.3 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.8.0 | 6.8.2 |
| cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* | 1 | OR | 6.9.0 | 6.9.1 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:S/C:P/I:P/A:P
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- SINGLE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 6.5
- Severity
- MEDIUM
- Exploitability Score
- 8
- Impact Score
- 6.4
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 8.8
- Base Severity
- HIGH
- Exploitability Score
- 2.8
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://jira.atlassian.com/browse/BSERV-12098 | Issue Tracking Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2019-15010 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15010 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:35:33 | Added to TrackCVE | |||
| 2022-12-04 09:43:50 | 2020-01-15T21:15Z | 2020-01-15T21:15:12 | CVE Published Date | updated |
| 2022-12-04 09:43:50 | 2020-08-24T17:37:01 | CVE Modified Date | updated | |
| 2022-12-04 09:43:50 | Analyzed | Vulnerability Status | updated |